Squash changes containing private information

There were a lot of changes since the previous commit, but a lot of them contained personnal information about users. All thos changes got stashed into a single commit (history is kept in a different place) and private information was moved in a separate private repository
author: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-10-04 01:35:06 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-10-04 02:11:48 +0200
commit: 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch)
tree: 1b9df4838f894577a09b9b260151756272efeb53 /systems/eldiron/websites/dav/davical.nix
parent: fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff)
download: Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz
Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst
Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip
1 files changed, 128 insertions, 0 deletions
diff --git a/systems/eldiron/websites/dav/davical.nix b/systems/eldiron/websites/dav/davical.nix
new file mode 100644
index 0000000..b418cb8
--- /dev/null
+++ b/systems/eldiron/websites/dav/davical.nix
@@ -0,0 +1,128 @@
+{ stdenv, fetchurl, gettext, writeText, env, awl, davical, config }:
+rec {
+  keys."webapps/dav-davical" = {
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      <?php
+      $c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
+      $c->readonly_webdav_collections = false;
+      $c->admin_email ='davical@tools.immae.eu';
+      $c->restrict_setup_to_admin = true;
+      $c->collections_always_exist = false;
+      $c->external_refresh = 60;
+      $c->enable_scheduling = true;
+      $c->iMIP = (object) array("send_email" => true);
+      $c->authenticate_hook['optional'] = false;
+      $c->authenticate_hook['call'] = 'LDAP_check';
+      $c->authenticate_hook['config'] = array(
+          'host' => '${env.ldap.host}',
+          'port' => '389',
+          'startTLS' => 'yes',
+          'bindDN'=> '${env.ldap.dn}',
+          'passDN'=> '${env.ldap.password}',
+          'protocolVersion' => '3',
+          'baseDNUsers'=> array('ou=users,${env.ldap.base}', 'ou=group_users,${env.ldap.base}'),
+          'filterUsers' => '${env.ldap.filter}',
+          'baseDNGroups' => 'ou=groups,${env.ldap.base}',
+          'filterGroups' => 'memberOf=cn=groups,${env.ldap.dn}',
+          'mapping_field' => array(
+            "username" => "uid",
+            "fullname" => "cn",
+            "email"    => "mail",
+            "modified" => "modifyTimestamp",
+          ),
+          'format_updated'=> array('Y' => array(0,4),'m' => array(4,2),'d'=> array(6,2),'H' => array(8,2),'M'=>array(10,2),'S' => array(12,2)),
+            /** used to set default value for all users, will be overcharged by ldap if defined also in mapping_field **/
+      //    'default_value' => array("date_format_type" => "E","locale" => "fr_FR"),
+          'group_mapping_field' => array(
+            "username"    => "cn",
+            "updated"     => "modifyTimestamp",
+            "fullname"    => "givenName",
+            "displayname" => "givenName",
+            "members"     => "memberUid",
+            "email"       => "mail",
+          ),
+        );
+      $c->do_not_sync_from_ldap = array('admin' => true);
+      include('drivers_ldap.php');
+    '';
+  };
+  webapp = davical.override { davical_config = config.secrets.fullPaths."webapps/dav-davical"; };
+  webRoot = "${webapp}/htdocs";
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    root = webRoot;
+    vhostConf = socket: ''
+      Alias /davical "${root}"
+      Alias /caldav.php  "${root}/caldav.php"
+      <Directory "${root}">
+        DirectoryIndex index.php index.html
+        AcceptPathInfo On
+        AllowOverride None
+        Require all granted
+        <FilesMatch "\.php$">
+          CGIPassAuth on
+          SetHandler "proxy:unix:${socket}|fcgi://localhost"
+        </FilesMatch>
+        RewriteEngine On
+        <IfModule mod_headers.c>
+                Header unset Access-Control-Allow-Origin
+                Header unset Access-Control-Allow-Methods
+                Header unset Access-Control-Allow-Headers
+                Header unset Access-Control-Allow-Credentials
+                Header unset Access-Control-Expose-Headers
+                Header always set Access-Control-Allow-Origin "*"
+                Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,PROPFIND,PROPPATCH,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK"
+                Header always set Access-Control-Allow-Headers "User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,Prefer,X-client,X-Requested-With"
+                Header always set Access-Control-Allow-Credentials false
+                Header always set Access-Control-Expose-Headers "Etag,Preference-Applied"
+                RewriteCond %{HTTP:Access-Control-Request-Method} !^$
+                RewriteCond %{REQUEST_METHOD} OPTIONS
+                RewriteRule ^(.*)$ $1 [R=200,L]
+        </IfModule>
+      </Directory>
+      '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "postgresql.service" "openldap.service" ];
+    basedir = builtins.concatStringsSep ":" [ webapp config.secrets.fullPaths."webapps/dav-davical" awl ];
+    pool = {
+      "listen.owner" = apache.user;
+      "listen.group" = apache.group;
+      "pm" = "dynamic";
+      "pm.max_children" = "60";
+      "pm.start_servers" = "2";
+      "pm.min_spare_servers" = "1";
+      "pm.max_spare_servers" = "10";
+      # Needed to avoid clashes in browser cookies (same domain)
+      "php_value[session.name]" = "DavicalPHPSESSID";
+      "php_admin_value[open_basedir]" = "${basedir}:/tmp";
+      "php_admin_value[include_path]" = "${awl}/inc:${webapp}/inc";
+      "php_admin_value[session.save_handler]" = "redis";
+      "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Tools:Davical:'";
+      "php_flag[magic_quotes_gpc]" = "Off";
+      "php_flag[register_globals]" = "Off";
+      "php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE";
+      "php_admin_value[default_charset]" = "utf-8";
+      "php_flag[magic_quotes_runtime]" = "Off";
+    };
+  };
+}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-10-04 01:35:06 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-10-04 02:11:48 +0200
commit	1a64deeb894dc95e2645a75771732c6cc53a79ad (patch)
tree	1b9df4838f894577a09b9b260151756272efeb53 /systems/eldiron/websites/dav/davical.nix
parent	fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff)
download	Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip

diff --git a/systems/eldiron/websites/dav/davical.nix b/systems/eldiron/websites/dav/davical.nix new file mode 100644 index 0000000..b418cb8 --- /dev/null +++ b/systems/eldiron/websites/dav/davical.nix
@@ -0,0 +1,128 @@
	1	{ stdenv, fetchurl, gettext, writeText, env, awl, davical, config }:
	2	rec {
	3	keys."webapps/dav-davical" = {
	4	user = apache.user;
	5	group = apache.group;
	6	permissions = "0400";
	7	text = ''
	8	<?php
	9	$c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
	10
	11	$c->readonly_webdav_collections = false;
	12
	13	$c->admin_email ='davical@tools.immae.eu';
	14
	15	$c->restrict_setup_to_admin = true;
	16
	17	$c->collections_always_exist = false;
	18
	19	$c->external_refresh = 60;
	20
	21	$c->enable_scheduling = true;
	22
	23	$c->iMIP = (object) array("send_email" => true);
	24
	25	$c->authenticate_hook['optional'] = false;
	26	$c->authenticate_hook['call'] = 'LDAP_check';
	27	$c->authenticate_hook['config'] = array(
	28	'host' => '${env.ldap.host}',
	29	'port' => '389',
	30	'startTLS' => 'yes',
	31	'bindDN'=> '${env.ldap.dn}',
	32	'passDN'=> '${env.ldap.password}',
	33	'protocolVersion' => '3',
	34	'baseDNUsers'=> array('ou=users,${env.ldap.base}', 'ou=group_users,${env.ldap.base}'),
	35	'filterUsers' => '${env.ldap.filter}',
	36	'baseDNGroups' => 'ou=groups,${env.ldap.base}',
	37	'filterGroups' => 'memberOf=cn=groups,${env.ldap.dn}',
	38	'mapping_field' => array(
	39	"username" => "uid",
	40	"fullname" => "cn",
	41	"email" => "mail",
	42	"modified" => "modifyTimestamp",
	43	),
	44	'format_updated'=> array('Y' => array(0,4),'m' => array(4,2),'d'=> array(6,2),'H' => array(8,2),'M'=>array(10,2),'S' => array(12,2)),
	45	/ used to set default value for all users, will be overcharged by ldap if defined also in mapping_field /
	46	// 'default_value' => array("date_format_type" => "E","locale" => "fr_FR"),
	47	'group_mapping_field' => array(
	48	"username" => "cn",
	49	"updated" => "modifyTimestamp",
	50	"fullname" => "givenName",
	51	"displayname" => "givenName",
	52	"members" => "memberUid",
	53	"email" => "mail",
	54	),
	55	);
	56
	57	$c->do_not_sync_from_ldap = array('admin' => true);
	58	include('drivers_ldap.php');
	59	'';
	60	};
	61	webapp = davical.override { davical_config = config.secrets.fullPaths."webapps/dav-davical"; };
	62	webRoot = "${webapp}/htdocs";
	63	apache = rec {
	64	user = "wwwrun";
	65	group = "wwwrun";
	66	modules = [ "proxy_fcgi" ];
	67	root = webRoot;
	68	vhostConf = socket: ''
	69	Alias /davical "${root}"
	70	Alias /caldav.php "${root}/caldav.php"
	71	<Directory "${root}">
	72	DirectoryIndex index.php index.html
	73	AcceptPathInfo On
	74	AllowOverride None
	75	Require all granted
	76
	77	<FilesMatch "\.php$">
	78	CGIPassAuth on
	79	SetHandler "proxy:unix:${socket}\|fcgi://localhost"
	80	</FilesMatch>
	81
	82	RewriteEngine On
	83	<IfModule mod_headers.c>
	84	Header unset Access-Control-Allow-Origin
	85	Header unset Access-Control-Allow-Methods
	86	Header unset Access-Control-Allow-Headers
	87	Header unset Access-Control-Allow-Credentials
	88	Header unset Access-Control-Expose-Headers
	89
	90	Header always set Access-Control-Allow-Origin "*"
	91	Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,PROPFIND,PROPPATCH,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK"
	92	Header always set Access-Control-Allow-Headers "User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,Prefer,X-client,X-Requested-With"
	93	Header always set Access-Control-Allow-Credentials false
	94	Header always set Access-Control-Expose-Headers "Etag,Preference-Applied"
	95
	96	RewriteCond %{HTTP:Access-Control-Request-Method} !^$
	97	RewriteCond %{REQUEST_METHOD} OPTIONS
	98	RewriteRule ^(.*)$ $1 [R=200,L]
	99	</IfModule>
	100	</Directory>
	101	'';
	102	};
	103	phpFpm = rec {
	104	serviceDeps = [ "postgresql.service" "openldap.service" ];
	105	basedir = builtins.concatStringsSep ":" [ webapp config.secrets.fullPaths."webapps/dav-davical" awl ];
	106	pool = {
	107	"listen.owner" = apache.user;
	108	"listen.group" = apache.group;
	109	"pm" = "dynamic";
	110	"pm.max_children" = "60";
	111	"pm.start_servers" = "2";
	112	"pm.min_spare_servers" = "1";
	113	"pm.max_spare_servers" = "10";
	114
	115	# Needed to avoid clashes in browser cookies (same domain)
	116	"php_value[session.name]" = "DavicalPHPSESSID";
	117	"php_admin_value[open_basedir]" = "${basedir}:/tmp";
	118	"php_admin_value[include_path]" = "${awl}/inc:${webapp}/inc";
	119	"php_admin_value[session.save_handler]" = "redis";
	120	"php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Tools:Davical:'";
	121	"php_flag[magic_quotes_gpc]" = "Off";
	122	"php_flag[register_globals]" = "Off";
	123	"php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE";
	124	"php_admin_value[default_charset]" = "utf-8";
	125	"php_flag[magic_quotes_runtime]" = "Off";
	126	};
	127	};
	128	}